{"service":"solidity-risk-lens","demo":true,"source":"pragma solidity ^0.8.20;\ncontract UnsafeVault {\n  function withdraw(address payable to, uint256 amount) external {\n    require(tx.origin == msg.sender, \"caller\");\n    (bool ok,) = to.call{value: amount}(\"\");\n    require(ok, \"transfer failed\");\n  }\n  function destroy() external { selfdestruct(payable(msg.sender)); }\n}","riskScore":78,"riskBand":"critical","findings":[{"severity":"critical","title":"Unprotected selfdestruct","line":8,"evidence":"selfdestruct(","impact":"Arbitrary destruction or forced value transfer may be possible.","recommendation":"Restrict or remove selfdestruct; verify upgrade and authorization paths."},{"severity":"high","title":"tx.origin authorization","line":4,"evidence":"tx.origin","impact":"tx.origin is unsafe for authorization and enables phishing through an intermediary contract.","recommendation":"Use msg.sender with explicit role or ownership checks."},{"severity":"high","title":"Unchecked low-level call","line":5,"evidence":".call{value:","impact":"External value call expands reentrancy and failure-handling risk.","recommendation":"Use checks-effects-interactions, a guard, and verify the return value."},{"severity":"low","title":"Floating pragma","line":1,"evidence":"pragma solidity ^","impact":"A floating compiler range can produce builds with different behavior.","recommendation":"Pin the audited compiler version for reproducible deployment."}],"note":"POST your own source to /v1/solidity-audit for $0.02 USDC via x402."}